Massachusetts Hospital Reports 800,000 Personal Records Missing

By Brian T. Horowitz |
Posted 2010-07-21

A Massachusetts hospital is
under scrutiny after hundreds of thousands of patient and employee records went
missing earlier this year. The missing files underscore the problems health
care providers face when balancing patient privacy and the need to store
massive amounts of data, especially as new federal rules for electronic health
records come into play.

South Shore
Hospital, in South Weymouth, Mass., reported July 19 that it's
investigating the potential loss of 800,000 backup files containing personal,
health and financial information of patients, physicians and other individuals
connected with the medical facility.

The files were sent to a data-management company to be destroyed on Feb. 26,
but the hospital was informed on June 17 that only a portion of the backup
records had been received and destroyed. It's unknown at what point the files
disappeared during the four-month period.

"We engaged a professional data-management company to arrange for the
destruction and shipping and it was within this shipping process that these
files were lost," Sarah Darcy, spokesperson for South
Shore Hospital,
told eWEEK. "It was not
something that happened on our campus."

South Shore
provides acute, outpatient, home health and hospice care and is the largest
independently operated hospital in Eastern Massachusetts.

The files may contain information from patients, employees, physicians,
volunteers, donors, vendors and other business partners who were affiliated
with the hospital between Jan. 1, 1996,
and Jan. 6, 2010.

South Shore
said it arranged for the files to be destroyed because they were in a file
format it no longer uses. According to the hospital, the files may contain
personal information such as Social Security numbers, driver's license numbers,
data on diagnoses and treatment, and bank account and credit-card information.

The hospital has been in contact with the Massachusetts' Attorney General's
office and Department of Public Health, as well as with the U.S. Department of
Health and Human Services on this matter, but wouldn't disclose the name of the
data-management company or what type of storage device was involved.

The hospital will notify affected individuals in the coming weeks. In the
meantime, it is directing people who may be affected to notify credit agencies
of possible theft.

Darcy declined to provide specifics because of the ongoing investigation, but
she expressed regret for the incident and said the hospital will make sure the
problem doesn't reoccur.

"We've apologized and want to apologize as much possible because, in
the end, we take responsibility for it," said Darcy. "We are
reviewing the policies and procedures, and the outcome of that review will
certainly prevent this from ever happening again. Exactly what steps that will
be taken post-review I can't say yet, because the review is still under
way."

Darcy insisted that it's unlikely the missing data has been accessed.

"There is no evidence from our investigation or from anything that has
been reported to the Massachusetts AG's office that any of this information has
been accessed-no evidence whatsoever," said Darcy. "It would take
special equipment, special software and special knowledge and technical skills
to access any of the information on the files, let alone decipher it."